Web Hosting Talk

dns abuse, please advise


pickles
08-17-2004, 01:46 PM
Hi,

My primary and secondary name servers are getting pounded at the rate of tens of thousands of queries a minute. Almost all of the queries are the same (except that they come from a different IP).

Aug 17 12:41:00.731 info: client 206.64.118.229#58327: query: outworks.com IN A
Aug 17 12:41:00.731 info: client 206.64.118.229#58327: query (cache) denied

I don't allow recursion, so they are being denied but it is driving up my cpu load.

With the help of thePlanet I've added a blackhole option that drops queries from offending IPs as soon as they come in. This helps, but every 20-30 minutes a new IP starts hammering me.

Questions:

1) How did I get on someone's feces-list so that I'm getting pounded?

2) Is there another way I can stop this without having to monitor the queries every 15 min and blacklisting them, and still allow normal requests for domains that I'm authoritative for?

3) Anyone else had this problem?

Bob
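
An added example (not from the thread or from BIND itself) of the monitoring step described above: it parses query-log lines in the format quoted in the post, counts "query (cache) denied" lines per client IP per minute, and renders the IPs above a threshold as a BIND `blackhole` stanza. The log lines and the threshold are constructed for illustration; because the thread notes the source addresses may be spoofed, the output is meant for review before it goes into named.conf.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the BIND query-log format quoted in the thread
# (timestamp, "client IP#port", then the query and its "denied" line).
SAMPLE_LOG = """\
Aug 17 12:41:00.731 info: client 206.64.118.229#58327: query: outworks.com IN A
Aug 17 12:41:00.731 info: client 206.64.118.229#58327: query (cache) denied
Aug 17 12:41:00.902 info: client 206.64.118.229#58328: query: outworks.com IN A
Aug 17 12:41:00.902 info: client 206.64.118.229#58328: query (cache) denied
Aug 17 12:41:03.115 info: client 198.133.74.210#2053: query: outworks.com IN A
Aug 17 12:41:03.115 info: client 198.133.74.210#2053: query (cache) denied
Aug 17 12:41:07.004 info: client 10.1.2.3#1024: query: example.net IN MX
"""

# Matches only the "denied" lines; captures the minute bucket and client IP.
DENIED_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hh>\d\d):(?P<mm>\d\d):\d\d(?:\.\d+)? "
    r"\S+: client (?P<ip>[0-9.]+)#\d+: query \(cache\) denied$"
)

def denied_per_minute(log_text):
    """Count 'query (cache) denied' lines per (client IP, minute bucket)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            bucket = f"{m['mon']} {m['day']} {m['hh']}:{m['mm']}"
            counts[(m['ip'], bucket)] += 1
    return counts

def offenders(log_text, threshold):
    """IPs whose denied-query count reached `threshold` in any one minute.
    Source IPs may be spoofed (as the thread notes), so review before acting."""
    peak = defaultdict(int)
    for (ip, _bucket), n in denied_per_minute(log_text).items():
        peak[ip] = max(peak[ip], n)
    return sorted(ip for ip, n in peak.items() if n >= threshold)

def blackhole_stanza(ips):
    """Render a BIND `blackhole { ... };` stanza for the options block."""
    if not ips:
        return ""
    return "blackhole {\n" + "".join(f"    {ip};\n" for ip in ips) + "};\n"

if __name__ == "__main__":
    # Threshold of 2 per minute is only for the tiny sample; real logs need
    # a value tuned to the tens-of-thousands-per-minute rate described.
    print(blackhole_stanza(offenders(SAMPLE_LOG, threshold=2)), end="")
```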

effusionx1
08-17-2004, 01:54 PM
I would block all ports - wait a while and then re-open them again.

datums
08-17-2004, 01:55 PM
That wouldn't be a good solution, downtime + the attack will most likely continue.

So these are UDP packets with spoofed IP addresses. Hmmm

pickles
08-17-2004, 01:55 PM
Originally posted by fusionx1
I would block all ports - wait a while and then re-open them again.

Wouldn't this disable my DNS servers? I need them to do reverse IP checks for incoming e-mail, and to resolve client domains.

Bob

effusionx1
08-17-2004, 01:56 PM
Yes sorry - that was a bad idea.
Are the IPs all from the same class?
If so, you could just block the class IP
beginning:
206.64

pickles
08-17-2004, 01:59 PM
Originally posted by fusionx1
Yes sorry - that was a bad idea.
Are the IPs all from the same class?

The IPs are not from the same class. They jump all over the place. They generally come in pairs of two from the same class.

effusionx1
08-17-2004, 02:01 PM
Yes, okay - have you done a tracert on these IPs?
Maybe then you can identify a common server through which they all pass...

pickles
08-17-2004, 02:01 PM
Originally posted by datums
That wouldn't be a good solution, downtime + the attack will most likely continue.

So these are UDP packets with spoofed IP addresses. Hmmm

I'm not sure if the IPs are spoofed. How can I tell?

effusionx1
08-17-2004, 02:03 PM
Yes, okay - have you done a tracert on these IPs?

That would be a good idea - you can then do some diagnostic work;)

Jakiao
08-17-2004, 02:04 PM
What you could do is install a firewall like APF. The firewall is smart enough to recognize these incoming attacks and auto-drop packets for each IP if they exceed a certain packet/minute load.

I highly recommend trying out APF, it may do the trick, and it has saved me from this in the past.

effusionx1
08-17-2004, 02:06 PM
Alternatively, you could allow all of these packets to get through and then fire them back!!!

Nasty but it may just work...

(Not sure how legal that is though:rolleyes: )

dynamicnet
08-17-2004, 02:09 PM
Greetings:

See http://www.cymru.com/Documents/secure-bind-template.html

Secure your DNS.

Thank you.

Chrysalis
08-17-2004, 02:19 PM
thanks for the link

pickles
08-17-2004, 02:35 PM
Originally posted by dynamicnet
Greetings:

See http://www.cymru.com/Documents/secure-bind-template.html

Secure your DNS.

Thank you.

Hi,

Thanks for the link. I looked at this yesterday and I had "almost" everything in place. What I didn't have was the long list of "bogus" IPs to black hole. I didn't see them in the query log so I didn't see the need to burden bind with that large of a reject list.

I've added all but the "10." range and will monitor the results.

At first glance it "appears" to be helping. 198.133.74.210 just popped up in the logs, but is only hitting me a couple hundred times a minute.

How common is this, and "why"? I run a "family" friendly hosting service, and up until now didn't have any enemies. Since the requests are being "denied" I don't see the point, unless this is truly intended as a DoS.

The traceroutes to the "client IPs", assuming they are not spoofed, often have "alter.net" or "uu.net" in the last couple of hops.

Bob

dynamicnet
08-17-2004, 03:38 PM
Greetings Bob:

According to Symantec Corporation, 60% to 70% of all attacks (hacks, cracks, etc.) on the Internet are random.

This means everyone is subject to being abused; and it is not a matter of how nice a person you or your business are in the world.

Thank you.